[Glibc-bsd-commits] r1653 - in trunk/kfreebsd-6/debian: . patches

Petr Salinger ps-guest at costa.debian.org
Thu Aug 31 17:56:44 UTC 2006


Author: ps-guest
Date: 2006-08-31 17:56:44 +0000 (Thu, 31 Aug 2006)
New Revision: 1653

Added:
   trunk/kfreebsd-6/debian/patches/000_ppp.diff
Modified:
   trunk/kfreebsd-6/debian/changelog
Log:
 * fix buffer overflow in sppp (FreeBSD-SA-06:08.ppp / CVE-2006-4304).



Modified: trunk/kfreebsd-6/debian/changelog
===================================================================
--- trunk/kfreebsd-6/debian/changelog	2006-08-25 19:20:36 UTC (rev 1652)
+++ trunk/kfreebsd-6/debian/changelog	2006-08-31 17:56:44 UTC (rev 1653)
@@ -1,10 +1,14 @@
 kfreebsd-6 (6.1-0.2) UNRELEASED; urgency=low
 
+  [ Aurelien Jarno ]
   * patches/999_config.diff: remove COMPAT_LINUX from amd64. 
 
+  [ Petr Salinger ]
+  * Fix buffer overflow in sppp (FreeBSD-SA-06:08.ppp / CVE-2006-4304).
+
  -- Aurelien Jarno <aurel32 at debian.org>  Thu, 17 Aug 2006 11:48:07 +0200
 
-kfreebsd-6 (6.1-0.1) UNRELEASED; urgency=low
+kfreebsd-6 (6.1-0.1) unreleased; urgency=low
 
   [ Petr Salinger ]
   * New upstream version (RELENG_6_1_0_RELEASE)

Added: trunk/kfreebsd-6/debian/patches/000_ppp.diff
===================================================================
--- trunk/kfreebsd-6/debian/patches/000_ppp.diff	                        (rev 0)
+++ trunk/kfreebsd-6/debian/patches/000_ppp.diff	2006-08-31 17:56:44 UTC (rev 1653)
@@ -0,0 +1,134 @@
+
+Topic:          Buffer overflow in sppp
+CVE Name:       CVE-2006-4304
+
+# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp.patch
+
+
+Index: sys/net/if_spppsubr.c
+===================================================================
+RCS file: /home/ncvs/src/sys/net/if_spppsubr.c,v
+retrieving revision 1.124
+diff -u -I__FBSDID -r1.124 if_spppsubr.c
+--- sys/net/if_spppsubr.c	15 Jul 2006 02:49:35 -0000	1.124
++++ sys/net/if_spppsubr.c	21 Aug 2006 11:32:49 -0000
+@@ -2363,7 +2363,8 @@
+ 
+ 	/* pass 1: check for things that need to be rejected */
+ 	p = (void*) (h+1);
+-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len-=p[1], p+=p[1]) {
+ 		if (debug)
+ 			log(-1, " %s ", sppp_lcp_opt_name(*p));
+ 		switch (*p) {
+@@ -2442,7 +2443,8 @@
+ 
+ 	p = (void*) (h+1);
+ 	len = origlen;
+-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len-=p[1], p+=p[1]) {
+ 		if (debug)
+ 			log(-1, " %s ", sppp_lcp_opt_name(*p));
+ 		switch (*p) {
+@@ -2584,7 +2586,8 @@
+ 		    SPP_ARGS(ifp));
+ 
+ 	p = (void*) (h+1);
+-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++	for (; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len -= p[1], p += p[1]) {
+ 		if (debug)
+ 			log(-1, " %s ", sppp_lcp_opt_name(*p));
+ 		switch (*p) {
+@@ -2648,7 +2651,8 @@
+ 		    SPP_ARGS(ifp));
+ 
+ 	p = (void*) (h+1);
+-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++	for (; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len -= p[1], p += p[1]) {
+ 		if (debug)
+ 			log(-1, " %s ", sppp_lcp_opt_name(*p));
+ 		switch (*p) {
+@@ -3039,7 +3043,8 @@
+ 		log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ",
+ 		    SPP_ARGS(ifp));
+ 	p = (void*) (h+1);
+-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len-=p[1], p+=p[1]) {
+ 		if (debug)
+ 			log(-1, " %s ", sppp_ipcp_opt_name(*p));
+ 		switch (*p) {
+@@ -3108,7 +3113,8 @@
+ 		       SPP_ARGS(ifp));
+ 	p = (void*) (h+1);
+ 	len = origlen;
+-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len-=p[1], p+=p[1]) {
+ 		if (debug)
+ 			log(-1, " %s ", sppp_ipcp_opt_name(*p));
+ 		switch (*p) {
+@@ -3239,7 +3245,8 @@
+ 		    SPP_ARGS(ifp));
+ 
+ 	p = (void*) (h+1);
+-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++	for (; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len -= p[1], p += p[1]) {
+ 		if (debug)
+ 			log(-1, " %s ", sppp_ipcp_opt_name(*p));
+ 		switch (*p) {
+@@ -3285,7 +3292,8 @@
+ 		    SPP_ARGS(ifp));
+ 
+ 	p = (void*) (h+1);
+-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++	for (; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len -= p[1], p += p[1]) {
+ 		if (debug)
+ 			log(-1, " %s ", sppp_ipcp_opt_name(*p));
+ 		switch (*p) {
+@@ -3511,7 +3519,8 @@
+ 		    SPP_ARGS(ifp));
+ 	p = (void*) (h+1);
+ 	ifidcount = 0;
+-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len-=p[1], p+=p[1]) {
+ 		if (debug)
+ 			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
+ 		switch (*p) {
+@@ -3561,7 +3570,8 @@
+ 	p = (void*) (h+1);
+ 	len = origlen;
+ 	type = CONF_ACK;
+-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len-=p[1], p+=p[1]) {
+ 		if (debug)
+ 			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
+ 		switch (*p) {
+@@ -3660,7 +3670,8 @@
+ 		    SPP_ARGS(ifp));
+ 
+ 	p = (void*) (h+1);
+-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++	for (; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len -= p[1], p += p[1]) {
+ 		if (debug)
+ 			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
+ 		switch (*p) {
+@@ -3706,7 +3717,8 @@
+ 		    SPP_ARGS(ifp));
+ 
+ 	p = (void*) (h+1);
+-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++	for (; len >= 2 && p[1] >= 2 && len >= p[1];
++	    len -= p[1], p += p[1]) {
+ 		if (debug)
+ 			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
+ 		switch (*p) {
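Review bot: Malformed options now end each option walk silently: the condition `len >= 2 && p[1] >= 2 && len >= p[1]`, repeated in all twelve loops patched in if_spppsubr.c, stops at a truncated option or one declaring a length below 2, and the leftover bytes are neither logged nor used to reject the packet. Whether that matters depends on the code after each loop, which lies outside these hunks. If nothing there checks it, a post-loop test such as `if (len != 0) { /* malformed option: drop or reject */ }` would make the handling explicit, most usefully in the "pass 1" loops that decide what to reject. A one-line comment above the first loop would also document the invariant, e.g. `/* option = type, length, data; length counts the 2-byte header and must fit in the remaining len */`. Separately, the patch header's fetch URL names `SA-06:18` while the commit log and changelog cite `FreeBSD-SA-06:08.ppp`, so one identifier looks mistyped; noting how the plain-http download was verified (checksum or advisory signature) next to that fetch line would make the patch's origin auditable.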



